Month: November 2016

Have you ever sat at your desk, hoping on a miracle, that somebody somewhere will develop a fully comprehensive application for tracking network information??? I know I have, along with millions of other fellow network professional’s I have to assume. What exactly am I referring to? IP addresses, vlans, VRF’s, Rack Elevations and on and on and on. We all have to keep up with this information, for most it is located in spreadsheets; some in notepads; others try to lock it all away in the vast empty space we call a brain.

So, the stage is set. Yes, there are claims of applications that can keep track of what your CORE router IP address is and what vlan you assigned to one of your customers, or even where in the bloody rack it sits in relation to your other devices. Some can even keep track of which VRF routing table your management lies in along with which physical port it connects to. Going a little further, maybe the application claims to give you a basic map layout to which you can refer to…

BUT, very few paid applications actually combine most of these functions into one and very little if any Open Source projects do at all. Although I can think of maybe one or two programs such as iTop or phpIPAM that combine some useful features such as IPAM and documentation pools etc.

Which brings us to Netbox.

Netbox is a swiss army knife, a gem, a diamond in the rough. It combines all the features every person in the networking world needs, wants and should have. We found Netbox on packetlife.net which is run by Jeremy Stretch and who subsequently developed Netbox. If you want to read more about how it came to fruition, take a look here.

Basically, this is what Netbox does and it does it extremely well, its also Open Source and completely FREE:

IPAM – IP Address Management

DCIM – Data Center Infrastructure Management

Single Converged Database

Circuit Provider Management

Vlan Management

VRF Management

Multi-Site (tenancy)

Rack Elevation

Connection Management – Interfaces/Console/Power

Customization Header For Logo’s etc

And More!

Here are a few screen shots to highlight some of the above features:

Hopefully if you are as geeky as we are, you are biting at the bit to give this puppy a try. In that respect, there are a couple of options for you to give it a go.

Follow the written documentation provided by Jeremy. I have to say, the instructions are pretty spot on. They are lengthy though with the components needed in Linux to allow Netbox to work. You can find the documentation here if you wish to try yourself. I will not be going over the installation steps in the post because they are cemented in the provided link; though have no fear, there is the second option…

I took all the brain hurt and built a Virtual Machine and installed/configured Netbox for you, just follow the below steps and voila. Currently I have it ported to an OVF which you can use with VMWare ESX, VMWare Workstation.

Just follow these easy steps and you will have Netbox up and running in about 15 minutes (vs ???, I cant remember how much time I spent but still!). This is for VMWare ESXi using vSphere client.

Pick whether you like to Lazy provision or Thick provision (if you don’t know what this means, you probably should not be using VMWare)

Click next

Click Finish

Now this gets a provisioned server with Netbox installed, but don’t power it up yet, there are still a few more steps to complete.

You will need to add an Ethernet Adapter.

Right click your server

Select ‘Edit Settings’

Click on ‘Add’

Select ‘Ethernet Adapter’

Follow the prompts and finish

Now you can start the server and open the console to watch it boot and perform the final couple of steps and you will be up and running.

Once the server is at the login prompt, go ahead and login using these credentials (all usernames and passwords for the site and database are the same):

Username: netadmin

Password: netadmin

At the #, type ‘ifconfig’ and find your current IP address (hopefully assigned by your DHCP server on your network if you installed the network adapter as above) and note it.

ifconfig

Again, at # do the following using nano (my personal preference), you could substitute for your own like vi.

sudo nano /opt/netbox/netbox/netbox/configuration.py

The only parameter you need to change is the ALLOWED_HOSTS which needs to be the IP Address of the server and/or DNS name you want to assign. This is a security precaution to only allow web requests to either the IP or DNS configured in this file. Once you have edited, exit and save.

In summary, Netbox seems to be the solution many of us are looking for to keep us straight in the networking life. I for one will be glad to get away from spreadsheets, documents strewn about and in-cohesive scribble by other people; to a centralized repository of cohesive information and network bliss!

Long-time MikroTik users have been after better loop prevention mechanisms for quite a while now. Rapid STP within bridges was the only feature available up until Fall of 2016 and now MikroTik has released Rapid Spanning Tree in hardware for switched ports as well as a new Loop Protect feature that seems to serve the same function as Cisco’s Loop Guard but not utilize spanning tree to detect the loop. MikroTik’s version compares the source MAC of the loop protect frame with the MAC of the interface it is received on and if they match, it will disable the port until the timer expires and check again for the existence of a loop.

Loop protect seems to be designed more as an edge port protocol since it physically disables the port upon detection of a loop, whereas STP will leave the port physically active but logically block traffic on that path. Some potential use cases for enabling this feature could include:

Edge port on a MikroTik device facing the end subscriber equipment – this would cut down on loops (and outages) that feed back into the ISP because of subscribers plugging in “dumb” switches, hubs or bridged routers.

Edge port for an Enterprise or SMB user device to prevent loops causing a larger outage from unauthorized switches/hubs that have been plugged in on the edge port.

Data Center edge port for servers, routers or other devices that shouldn’t create a loop but still have the capacity to do so. An example would be a mis-configured vSwitch in a hypervisor.

Downstream switch connected to a router or switch that doesn’t have a physical topology that will allow a loop in normal operation, however, a cable plugged into two ports on the same switch or a down stream switch could still send a broadcast storm towards the port.

‘Loop Protect’ in the StubArea51 test lab

Below is an example lab we built to test the Loop protect feature. The idea was to intentionally create a loop between two Cisco 3750 switches that would propagate looped frames and broadcasts towards the ethernet port on a MikroTik CRS125 with Loop Protect enabled.

Click on the image for a larger version

Enabling the ‘Loop Protect’ feature in WinBox

By default, the feature is disabled. To enable it, you select the interface to enable it on –> navigate to the ‘Loop Protect’ tab –> select the first drop down menu and set it to on (some versions of 6.37 have a bug that show more than the three available settings of default,on and off). You can also adjust the ‘Send Interval’ which controls how frequently Loop Protect frames are sent out of the interface. There is a ‘Disable Time’ value that can be set which starts counting down as soon as a loop is detected and will bring the interface back online after the timer is expired and check again for the existence of a loop. This interface will cycle through disabling the interface and the disable timer so long as a loop is present.

Detecting a loop with ‘Loop Protect’ enabled

In the hardware lab above, we connected a second cable between two Cisco 3750 switches with spanning tree turned off and ‘Loop Protect’ detected the loop almost immediately as indicated by the message in red at the bottom of the picture below. The status has now been changed to disabled until the loop clears and the disable timer expires.

‘Loop Protect’ in the log

Like all good features, ‘Loop Protect” will add status messages to the log which show the following as the loop is detected and then cleared. If you send your log messages to an external syslog server, then you can create alerts to let you know when a port has gone down due to a loop.

11:17:08 – Loop is detected

11:17:08 – ether1 goes into disabled state

11:22:11 – The loop is cleared by the disable timer expiring (after unplugging the rogue cable between switches)